CYBEROAM

1
Changing Battleground Security Against Targeted
Low Profile Attacks
Amar Mehta Manager-International Business
Development Cyberoam
2
Presentation Sketch
Changing Battleground Shift Towards Targeted
Attacks Identity-based Heuristics The Suggested
Solution Conclusion
3
Changing Battleground
4
Evolution of the Real Battleground

• Evolving Trends in war and the evolution to
  todays tactical battle
• A shift from Mass Attacks to Targeted Attacks

5
Evolution of the Virtual Battleground
6
Understanding this Change
2009
7
Understanding this Change
8
Narrowing the targets Attackers Working Smart

• Motive of the attack
• To target Regional players and individuals to
  escape attention
• Attacks driven by financial motives
• To steal confidential information from specific
  companies - Identity theft
• Who are the victims?
• Small corporations, Key Individuals
• What are the attack vectors?
• Spear phishing exploiting individuals trust
• New hybrid combinations - spy phishing

9
Narrowing the targets Attackers Working Smart

• Examples
• Bank Of India
• ICICI Bank
• ABC, XYZ

• Do you know about them?
• Have you heard about such small regional attacks?
• Such Attacks Fly under the radar
• Have a prolonged Lifespan
• Cause significantly high financial damage to
  Victims

10
Targeted Attacker Profile

• Insiders
• External attackers

11
Targeted Attacker Profile - Insiders
Insiders

• Role
• Initiators
• Victims
• Conduits
• Reasons
• Malicious Intent - Greed
• Disgruntled employees Vengeance
• User Ignorance

12
Targeted Attacks by External Attackers

• External Attackers getting insider information
• Targeting insider victims
• Targeting insiders as conduits

13
Why are Targeted Attacks Succeeding?
Hackers on easy street

• Publicly available vulnerability information
• The Toolkit business
• Research Easy access to information from public
  and internal resources

• Todays network scenario
• Fluidity of the network perimeter which opens it
  to partners, customers and more
• Employees have access to business critical
  information
• One cannot help not being (i)n the Net

14
Why are Targeted Attacks Succeeding?

• Traditional products inability to detect the
  threat
• Detection of only massive or reported attacks
• Small scale attacks cant grab media attention,
  go unnoticed, thus expanding attack life span
• Signature-based solutions
• Well-planned, pre-defined selected small target
  group unlike the mass attacks

15
Why are Targeted Attacks Succeeding?

• Unable to Identify the Human Role
• User as a
• Victim User Ignorance, Surfing Pattern, Loose
  Security Policy, Trust, Lack of Education
• Attacker Malicious Intent, Vengeance, Greed

16
Stopping the attackers - Identity-Based
Heuristics
17
First things first A Multi Layered Security
Approach

• Security at the Desktop
• Desktop Firewall
• Host IPS
• Anti Malware
• Application Whitelisting
• Do not Forget the Network
• Firewall
• Network Anti Malware
• Network IPS
• Traffic Whitelisting

18
Evolving Towards Identity-Based Heuristics

• User identity An additional parameter to aid
  decision making
• Who is doing what?
• Who is the attacker?
• Who are the likely targets?
• Which applications are prone to attack who
  accesses them?
• Who inside the organization is opening up the
  network? How?

Building patterns of activity profiles User
Threat Quotient
19
User Threat Quotient - UTQ

• Calculating the UTQ
• Rating users on susceptibility to attack
• Nature of user activity
• History of activity normal record access
  number and type (customer data / research
  reports/..)
• Current status new employee, terminated , etc.
• Analyze Who is doing What and When
• Use of anonymous proxy
• Downloading Hacker Tools
• Accessing data off-hours
• Amount of data accessed

20
Technical Preventive Measures

• Use Network Activity coupled with user identity
  information to
• Identify deviations from the normal acceptable
  user behavior
• Red flag malicious activity based on UTQ
• Context of activity repeated wrong password
  attempts by new vs. old employee
• Get Intrusion alerts with user identity
  information
• Correlate data, e.g. using Bayesian inference
  network
• Use Identity as a decision parameter in security
  rules and policies

21
Use UTQ information for Soft Measures

• Individualized education based on UTQ information
• Educating to Key persons having access to
  business critical information
• Educating the employees as their role evolves
  joiner, moving up, quitter

22
Conclusion

• Threat landscape is shifting
• Current solutions need to change
• Need to leverage user Identity information for
  proactive control

23
Identity-based Unified Threat Management
A solution to fight against multiple attacks and
threats
24
Cyberoam Layer 8 Firewall (Patent-Pending)
25
Identity-Based Technology
26
Cyberoam Identity Based Security
Cyberoam is the only Identity-based Unified
Threat Management appliance that provides
integrated Internet security to enterprises and
educational institutions through its unique
granular user-based controls.
27
Cyberoam CRi UTM Appliance Range

• Large Enterprises
• CR 1500i
• CR 1000i
• CR 500i
• Small to Medium Enterprises
• CR 300i
• CR 200i
• CR 100ia
• Small Offices
• CR 50ia

28
Basic Appliance

• Identity-based Firewall
• VPN
• Free SSL-VPN
• Bandwidth Management
• Multiple Link Management
• On Appliance Reporting
• Basic Anti-Spam (RBL Service)
• 85 Tech Support 1 Year Warranty

• Subscriptions
• Gateway Anti-Virus Subscription (Anti-malware,
  phishing, spyware protection included)
• Gateway Anti-spam Subscription
• Web Application Filtering Subscription
• Intrusion Prevention System (IPS)
• 24 x 7 Tech Support Warranty
• Subscription services are available on 1 Year, 2
  Year or 3 Year subscription basis

29
Cyberoam Central Console CCC Series

• Reduces operational complexity and deployment
  time
• Minimizes errors and lowers administration cost
  Enables the MSSPs to have different personnel for
  managing different customer deployments
• Ease of use with view of multiple devices and
  network status at a glance

30
Cyberoam iView (Cyberoam Aggregated Reporting
Logging Software)

• Free (Open Source) Available on Sourceforge.net
• MSSP / Enterprise would be able to aggregate the
  reports of various customers / offices.
• Aggregation of logs and data from multiple CR
  appliances as well as other competitor
  appliances
• Centralized storage of reports and log data
• Compliance-based Reporting Forensic Analysis
• User-wise web surfing reports
• Real-time Monitoring, Alerting and Analysis
• Over 500 Drilldown Reports
• Reports in HTML, MHTML, PDF, CSV formats
  Email Alerts

31
THREATS HAVE NO WAY TO HIDE NOW.
amar.mehta_at_cyberoam.com